Detecting Forged TCP Reset Packets

Authors: Nicholas Weaver, Robin Sommer, Vern Paxson
Presented by: Anuj Kalia, Shashank Gupta

Abstract

Network administrators enforce usage restrictions by terminating connections they deem undesirable. This is usually achieved by injecting artificial TCP Reset (RST) packets into the network. By exploiting the out-of-band nature of injected packets, we can detect the interference and fingerprint the injection device.

Motivation

To what degree can we detect when a network actively disrupts communication?

Deployments of RST injectors:
◦ Great Firewall of China: terminates Internet connections deemed undesirable by the Chinese government.
◦ Restricting P2P traffic: practiced by multiple ISPs (e.g. Comcast), particularly to block bulk transfers such as those of BitTorrent.

Techniques used to block communication

Assumption: A traffic monitor inspects TCP flows for violations of network policy and instructs a connection terminator to stop the identified flows.

Difference compared to a traditional firewall: all flows are initially allowed through.
◦ Potential blocking decisions are taken later.

Devices to terminate flows:
◦ Inline devices: the device ceases to forward packets associated with the flow. This is a performance bottleneck, so out-of-path devices are preferred.

Out-of-path blocking methods:
1. Instruct an in-path device, such as a router, to block the flow.
2. Inject forged TCP FIN packets, one in either direction.
3. Inject forged TCP RST packets, in one direction.

The detection techniques discussed should work against all out-of-band flow termination, because a passive monitor faces race conditions: it can only react after the packets it observed have already passed.

Detection Toolbox

Each detector targets a situation that is likely to indicate the presence of one or more injected RST packets.

1. RST_SEQ_DATA:
   a) The injector sees a data packet that triggers its decision to terminate the connection. After some delay it sends out a forged RST packet.
   b) During this interval, more packets from the sender may pass the injector's observation point.
   c) The receiver gets an RST packet with a sequence number less than expected.
   (Slide animation: the sender's data packets carry seq no 42 and then seq no 50; the injected RST arrives carrying seq no 42.)

2. DATA_SEQ_RST:
   a) At the time the RST is injected, further packets are already in flight or will be sent soon: the sender has not yet shut down!
   b) The receiver will see data packets from the sender after it has received the RST.
   (Slide animation: data packets with seq no 42 and 50.)

3. RST_SEQ_CHANGE:
   a) By sending multiple RSTs with increasing sequence numbers, an injector increases the likelihood of getting one through.
   b) It faces the dilemma of having to pick a higher sequence number without knowing what the source will send.
   c) Look for a back-to-back pair of RST packets where the 2nd has a higher sequence number than the 1st and exceeds the current sequence number.

Experiments

The detector was run on traffic traces captured at:
1. ICSI (International Computer Science Institute)
2. UC Berkeley
3. Columbia University
4. George Mason University

By correlating the characteristics of injected RST packets across datasets, a number of injectors were identified.

Results

Sandvine RST injector: Comcast uses RST injection to manage P2P traffic, and its devices were purchased from Sandvine.
◦ Fingerprint: a back-to-back pair of RST packets, for which the 2nd one has a sequence number 12503 higher than the 1st, and an IPID increased by 1.
◦ Comcast injection alerts came in bursts: 10 on Feb 9th, 23 on Feb 18th, etc. These bursts correspond to excessive usage of P2P software by students.

BezeqInt injector:
◦ Always uses IPID 16448
◦ Differing TTL
◦ Increments ACK number (?)

IPID 256 injector

Chinese Firewall injectors:
◦ IPID 64 injector
◦ IPID -26 injector
◦ SEQ 1460 injector

QUESTIONS?
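An added example, not code from the paper or these slides: a minimal Python sketch of the three detectors plus the Sandvine seq/IPID fingerprint, run over a constructed one-direction packet trace as seen at the receiver. The Pkt record, the trace values and the alert names used as return values are my assumptions.

```python
# Added example (not from the paper or the slides): one-direction detectors for
# injected TCP RSTs. "seq" is the TCP sequence number, "ipid" the IP identification.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src flags seq length ipid")  # flags: "DATA" or "RST"

SANDVINE_SEQ_DELTA = 12503  # slide fingerprint: 2nd RST seq minus 1st RST seq


def detect(pkts, src):
    """Return (alert, trace index) pairs for packets sent by `src` in one TCP flow."""
    alerts = []
    expected = None   # next sequence number the receiver expects from src
    prev = None       # previous packet seen from src (for back-to-back RST checks)
    rst_seen = False
    for i, p in enumerate(pkts):
        if p.src != src:
            continue  # the other direction of the flow is not examined here
        if p.flags == "DATA":
            if rst_seen:
                # sender keeps transmitting after a RST: the RST was not its own
                alerts.append(("DATA_SEQ_RST", i))
            nxt = p.seq + p.length
            expected = nxt if expected is None else max(expected, nxt)
        elif p.flags == "RST":
            if expected is not None and p.seq < expected:
                # RST carries a sequence number the sender has already moved past
                alerts.append(("RST_SEQ_DATA", i))
            if prev is not None and prev.flags == "RST":
                if p.seq > prev.seq and (expected is None or p.seq > expected):
                    alerts.append(("RST_SEQ_CHANGE", i))
                if p.seq - prev.seq == SANDVINE_SEQ_DELTA and p.ipid - prev.ipid == 1:
                    alerts.append(("SANDVINE_FINGERPRINT", i))
            rst_seen = True
        prev = p
    return alerts


# Constructed trace: two data segments pass the injector before its RST goes out,
# the injector fires a back-to-back RST pair, and the sender keeps sending.
TRACE = [
    Pkt("A", "DATA", 42, 8, 1001),            # bytes 42..49
    Pkt("A", "DATA", 50, 8, 1002),            # bytes 50..57, passes before the RST
    Pkt("A", "RST", 42, 0, 300),              # stale seq -> RST_SEQ_DATA
    Pkt("A", "RST", 42 + 12503, 0, 301),      # higher seq, IPID+1 -> RST_SEQ_CHANGE, Sandvine
    Pkt("A", "DATA", 58, 8, 1003),            # data after RST -> DATA_SEQ_RST
]

if __name__ == "__main__":
    print(detect(TRACE, "A"))
```

A genuine RST from the sender sits exactly at the receiver's expected sequence number, so a trace of in-order data followed by such a RST produces no alerts.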